Scattered Spider, or UNC3944, is a financially motivated threat actor known for its clever use of social engineering tactics to infiltrate target devices. They are persistent, stealthy, and swift in their operations. Once inside, Scattered Spider avoids specialized malware and instead relies on reliable remote management tools to maintain access.
In December 2022, CrowdStrike uncovered a concerning campaign by Scattered Spider, targeting the telecom and business process outsourcing sectors to gain entry into mobile carrier networks. Since then, their activities have continued, and they even attempted to exploit an old vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics kernel driver on a targeted system. Let's explore Scattered Spider's tactics and techniques while highlighting essential security controls and detections.
As previously mentioned, in December of 2022, CrowdStrike released a report detailing a targeted campaign orchestrated by Scattered Spider. Their focus was on organizations in the telecom and business process outsourcing (BPO) sectors, with the ultimate goal of infiltrating mobile carrier networks. Scattered Spider attacks have surged significantly, with a focus on nations like the United States, the United Kingdom, Germany, France, Italy, Canada, Australia, and Japan.
Starting in June 2022 and extending through the winter months, security researchers identified a total of five intrusions carried out by the attackers. The primary objective of their December 2022 campaign was to breach telecom network systems, gain access to subscriber information, and perform operations like SIM swapping. During that time, the threat actor successfully utilized CVE-2021-35464, a vulnerability in the ForgeRock AM server, to execute code and elevate their privileges over the Apache Tomcat user on an AWS instance. They achieved this by acquiring and leveraging the permissions of an instance role through a compromised AWS token.
Image 1: Five Intrusions
In the majority of investigations conducted by CrowdStrike, the initial access by the Scattered Spider was achieved through social engineering tactics. They used methods like phone calls, SMS, or Telegram to impersonate IT staff. The victims were then directed to either visit a fake website with the company logo, where they were tricked into entering their credentials, or to download a Remote Monitoring and Management (RMM) tool that would give the threat actor remote control over their system.
In cases where Multi-Factor Authentication (MFA) was enabled, the Scattered Spider used various techniques. They would directly engage the victim and convince them to share their one-time password (OTP). Also, the threat actor used a method called "MFA push-notification fatigue," repeatedly sending MFA challenges to the victim until they eventually accepted the prompt.
In a separate investigation conducted by CrowdStrike, Scattered Spider utilized compromised credentials obtained from a victim user to gain unauthorized access to the organization's Azure tenant. Once inside, they created Azure Virtual Machines (VMs) to carry out activities involving credential theft and lateral movement towards on-premises systems. Once the threat actors gain access to a system, they try to add their own devices to the list of trusted MFA devices using the compromised user account. Scattered Spider uses the following utilities and remote monitoring and management tools to maintain persistent access:
Because the above tools are not malicious, they evade generating alerts and are not commonly blocked by endpoint detection and response (EDR) technology.
A recurring strategy observed is Scattered Spider’s use of a standard naming pattern, such as "DESKTOP-<7 alphanumeric characters>," when connecting their own systems to the victim organization's VPNs. Additionally, when setting up systems within the victim’s virtual desktop infrastructure, the threat actor imitated the organization's established naming conventions.
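The hostname pattern described above is something a defender can check for directly in VPN authentication logs. The following is an added example (not part of the original report): it flags connections whose hostname matches the default Windows "DESKTOP-" plus seven alphanumeric characters pattern, and separately flags hostnames that do not fit an assumed corporate naming convention. The log line layout and the corporate convention (three-letter site code, role, four digits) are assumptions.

```python
import re
from typing import Dict, List

# Pattern the report associates with attacker-owned hosts joining victim VPNs:
# "DESKTOP-" followed by exactly seven alphanumeric characters (the Windows default).
DEFAULT_WINDOWS_NAME = re.compile(r"^DESKTOP-[A-Z0-9]{7}$", re.IGNORECASE)

# Assumed (hypothetical) corporate convention, e.g. NYC-LPT-0417.
ORG_CONVENTION = re.compile(r"^[A-Z]{3}-(WKS|LPT|SRV)-\d{4}$")

# Constructed sample VPN log lines; the key=value layout is an assumption.
SAMPLE_VPN_LOG = """\
2023-01-12T08:02:11Z user=jdoe hostname=NYC-LPT-0417 src=203.0.113.10 event=connect
2023-01-12T08:05:40Z user=jdoe hostname=DESKTOP-4KQ9Z2B src=198.51.100.7 event=connect
2023-01-12T09:17:03Z user=asmith hostname=desktop-a1b2c3d src=198.51.100.9 event=connect
2023-01-12T09:30:55Z user=asmith hostname=LON-WKS-0099 src=203.0.113.44 event=connect
2023-01-12T09:31:10Z user=asmith hostname=LON-WKS-0099 src=203.0.113.44 event=disconnect
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the first token is the timestamp."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    fields["timestamp"] = tokens[0]
    return fields


def flag_vpn_hosts(log: str) -> List[Dict[str, str]]:
    """Return connect events whose hostname looks attacker-supplied."""
    findings = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "connect":
            continue
        host = rec.get("hostname", "")
        if DEFAULT_WINDOWS_NAME.match(host):
            rec["reason"] = "default Windows hostname pattern"
        elif not ORG_CONVENTION.match(host):
            rec["reason"] = "hostname outside org naming convention"
        else:
            continue
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in flag_vpn_hosts(SAMPLE_VPN_LOG):
        print(f["timestamp"], f["user"], f["hostname"], "->", f["reason"])
```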
Also, Scattered Spider has focused on VMware ESXi hypervisors. In one case observed by CrowdStrike, they installed two specific tools, namely the open-source rsocx reverse proxy and the Level remote monitoring and management (RMM) tool, on an ESXi appliance. In a different instance, the threat actor used the open-source port scanner RustScan, executing it from a Docker container that was active on an ESXi appliance.
Scattered Spider targets environments that are widely used by various industries and sectors, including Windows, Linux, Google Workspace, AzureAD, M365, and AWS. They gather information from SharePoint and OneDrive, seeking details like VPN and MFA information, guides, and help desk instructions.
In one case, they accessed Azure Active Directory and obtained user data, including privileged users. Across the investigations, Scattered Spider was observed using tactics such as domain replication, WMI lateral movement, SSH tunneling, and remote access tools. They also download tools from websites like file[.]io, GitHub, and paste[.]ee using victim organization systems. As for exfiltrating data, they utilize the site transfer[.]sh.
By January 2023, CrowdStrike observed Scattered Spider attempting to deploy a Bring Your Own Vulnerable Driver (BYOVD) attack via an old kernel vulnerability (CVE-2015-2291), leveraging vulnerable third-party drivers as a way to evade detection by EDR. The BYOVD technique is when threat actors incorporate a kernel-mode driver with known vulnerabilities into their attacks to elevate privileges in Windows and exploit the system further. CVE-2015-2291 was fixed in 2015, but Scattered Spider may still be able to exploit it by placing an older version on compromised devices.
Device drivers have kernel access to the operating system. Because attackers exploit flaws in these drivers, this new tactic could allow Scattered Spider to run code with the highest privileges in Windows. Scattered Spider tried to use the BYOVD technique to evade Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
In 2021, Microsoft warned that adversaries were increasingly using legitimate drivers and their security vulnerabilities to execute malware. To counter this, Microsoft planned to block drivers with confirmed security flaws on Windows 10 devices using their Defender for Endpoint attack surface reduction (ASR) and Windows Defender Application Control (WDAC) technologies. This measure aimed to protect devices from exploits involving vulnerable drivers attempting to gain access to the kernel. Despite being highlighted by numerous security researchers in the past two years, the problem persists because Microsoft does not block vulnerable drivers by default.
During its investigation, CrowdStrike discovered several versions of a malicious driver, each signed by different certificates and authorities. Some certificates were stolen from NVIDIA and Global Software LLC, while others were self-signed test certificates. The purpose of these drivers is to disable the visibility and prevention capabilities of endpoint security products, enabling the threat actor to proceed without being detected. The driver samples are compact, 64-bit Windows kernel drivers containing fewer than 35 functions.
Image 2: Example Driver with SHA256 Hash
The sample driver's build time is set to January 1, 1970, at 00:01:35 UTC. It contains various status messages and calls to DbgPrintEx() to provide updates to the threat actor. The file is signed with a certificate issued to "Global Software, LLC" and has the following parameters:
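A build timestamp of January 1, 1970 is a property that can be checked on any driver before it is allowed to load. The following added example (not from the report) reads the COFF TimeDateStamp and Machine fields from a PE header and flags build times that predate Windows NT or lie in the future; it constructs a minimal fake PE in memory so it runs offline, and the 1993 cut-off and the sample stamp value are assumptions for illustration.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp, ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def pe_is_x64(data: bytes) -> bool:
    """True when the COFF Machine field says AMD64 (the report's samples are 64-bit)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4)[0] == IMAGE_FILE_MACHINE_AMD64


def suspicious_build_time(ts: datetime, now: Optional[datetime] = None) -> Optional[str]:
    """Return a reason string when the build time is implausible, else None."""
    now = now or datetime.now(timezone.utc)
    if ts.year < 1993:  # assumed cut-off: no real Windows NT driver predates this
        return "build time predates Windows NT (stamp likely zeroed or forged)"
    if ts > now:
        return "build time is in the future"
    return None


def build_fake_pe(stamp: int, machine: int = IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Construct a minimal MZ/PE header with the given TimeDateStamp (test input only)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE header right after the stub
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, 0, 0)
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_fake_pe(95)  # 95 seconds after the epoch, as in the report's sample
    ts = pe_timestamp(sample)
    print(ts.isoformat(), "x64" if pe_is_x64(sample) else "other", suspicious_build_time(ts))
```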
Interestingly, this same certificate has been used to sign other malicious files since at least 2018, indicating that other threat actors may also possess copies of it.
In October 2022, two alarming incidents shed light on the dangers of Bring Your Own Vulnerable Driver (BYOVD) attacks, highlighting the potential threats organizations face. Firstly, the BlackByte ransomware group utilized the CVE-2019-16098 vulnerability in Micro-Star's MSI Afterburner 4.6.2.15658 to disable over 1,000 drivers, causing widespread disruption and damage.
Secondly, during the same month, the North Korean state-sponsored APT Lazarus executed sophisticated spear-phishing campaigns targeting Belgium and the Netherlands. These campaigns strategically employed the BYOVD technique, exploiting the CVE-2021-21551 vulnerability in Dell's dbutil hardware driver.
Such attacks, exploiting known vulnerabilities in third-party drivers, exemplify the risks that BYOVD poses for organizations, allowing threat actors to compromise systems, inflict financial losses, and disrupt critical operations. It underscores the urgent need for organizations to bolster their defense mechanisms and implement robust security measures to mitigate these evolving threats.
command and control
- T1190: Exploit Public-Facing Application
- T1053: Scheduled Task/Job
- T1106: Native API
- T1056: Input Capture
- T1133: External Remote Services
- T1059: Command and Scripting Interpreter
- T1564: Hide Artifacts
- T1115: Clipboard Data
Please Note: The subsequent guidelines are based on CrowdStrike's comprehensive list of security controls, and we strongly advise their implementation.
AWS Token Pivoting
Enforce Azure Conditional Access Policies (CAP):
Script Executed on EC2 Instance
Detects usage of the SendCommand API call to a managed instance.
Terminal Spawned via Special Administration Console
Detects a terminal process spawned by the Special Administration Console.
AWS STS AssumeRole Misuse
Detects suspicious use of AssumeRole.
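The AWS-side detections above (SendCommand to a managed instance, AssumeRole misuse, and the instance-role token pivoting described in the campaign) can be expressed as rules over CloudTrail records. The following is an added example, not a rule from the report or from any vendor: it treats an assumed-role session whose session name is an EC2 instance id as an instance-profile credential and flags when that credential is used from outside an assumed egress range, when it calls SendCommand, or when it assumes another role. The CloudTrail records, account id, role names and the egress CIDR are constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Assumed: the organisation's own egress range; instance-role credentials
# should never be used from anywhere else.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail-style records, trimmed to the fields the rules need.
INSTANCE_ARN = "arn:aws:sts::123456789012:assumed-role/WebAppInstanceRole/i-0abc1234"
SAMPLE_EVENTS: List[Dict] = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0def5678"]}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",  # benign baseline
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {}},
]


def instance_session(event: Dict) -> bool:
    """True when the caller is an EC2 instance-profile session (session name is the instance id)."""
    ident = event.get("userIdentity", {})
    arn = ident.get("arn", "")
    return ident.get("type") == "AssumedRole" and ":assumed-role/" in arn \
        and arn.rsplit("/", 1)[-1].startswith("i-")


def off_network(ip: str) -> bool:
    """True when the source IP is a real address outside the expected egress range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # service principals appear as DNS names, e.g. ec2.amazonaws.com
    return not any(addr in net for net in EXPECTED_EGRESS)


def evaluate(events: List[Dict]) -> List[Dict[str, str]]:
    """Run the three rules over a list of CloudTrail records and return findings."""
    findings = []
    for ev in events:
        name, src, ip = ev.get("eventName"), ev.get("eventSource", ""), ev.get("sourceIPAddress", "")
        params = ev.get("requestParameters", {})
        if src == "ssm.amazonaws.com" and name == "SendCommand":
            findings.append({"rule": "ssm_sendcommand", "detail": ",".join(params.get("instanceIds", [])), "ip": ip})
        if instance_session(ev) and off_network(ip):
            findings.append({"rule": "instance_token_pivot", "detail": ev["userIdentity"]["arn"], "ip": ip})
        if src == "sts.amazonaws.com" and name == "AssumeRole" and instance_session(ev):
            findings.append({"rule": "instance_role_assumerole", "detail": params.get("roleArn", ""), "ip": ip})
    return findings
```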
Note: A complete list of IoCs related to Scattered Spider can be found here.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.